ldapsdk
unboundid-ldapsdk mutual TLS usage examples in Java
Hi, are there any examples of how to use unboundid-ldapsdk in Java for mutual TLS? Could you please provide information on which version of unboundid-ldapsdk supports mutual TLS?
I assume that you’re asking about writing LDAP clients. In that case, the LDAP SDK has always supported mutual TLS. To use it, you need to have access to a key store containing the client certificate chain. If you’re using the SSLUtil class, then you can do that by providing an appropriate key manager to the SSLUtil constructor, and then use that SSLUtil object to create an SSLSocketFactory for use when creating an LDAPConnection or LDAPConnectionPool. For example:
```java
// KeyStoreKeyManager, TrustStoreTrustManager and SSLUtil are in
// com.unboundid.util.ssl; LDAPConnection is in com.unboundid.ldap.sdk.
KeyStoreKeyManager keyManager = new KeyStoreKeyManager(pathToKeyStore,
     keyStorePIN, keyStoreFormat, certificateAlias);
TrustStoreTrustManager trustManager = new TrustStoreTrustManager(
     pathToTrustStore, trustStorePIN, trustStoreFormat,
     examineValidityDates);
SSLUtil sslUtil = new SSLUtil(keyManager, trustManager);
LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(),
     serverAddress, serverPort);
```
There are several places in the LDAP SDK where we do something like this, but one good place to look for an example would be the LDAPCommandLineTool.createSSLUtil method. That method creates an SSLUtil object based on the arguments provided when running a command-line tool.
Note that the above code will just cause the client to send a certificate chain to the server if one is requested. If you actually want to use that certificate chain for LDAP authentication, then you need to perform a SASL bind on that connection with the EXTERNAL mechanism. That is as simple as:
```java
BindResult bindResult = conn.bind(new EXTERNALBindRequest());
```
If you’re asking about the in-memory directory server that the LDAP SDK provides, then support for mutual TLS authentication was only added fairly recently, in the 5.1.2 release. In that case, you should use the requestClientCertificate and requireClientCertificate arguments when creating an InMemoryListenerConfig object for the TLS-enabled listener.
@dirmgr Thanks for the information.
I am asking about the LDAP client only. I have some more queries.
We have the following files, from which we need to generate the key store and trust store.
- clientcert.pem (client certificate)
- clientkey.pem (client private key)
- cacert.pem (CA certificate)
Is there any way to dynamically generate the keystore and truststore using the above PEM files?
If we are using the SSLUtil class to create an SSLContext, how do we pass the allowed ciphers? We also want to use the StartTLS feature. If you can guide us, it would be helpful.
At present, the LDAP SDK doesn’t directly support using PEM files as a key or trust store. However, it does provide a manage-certificates tool that you can use either from the command line or programmatically to import data from PEM files into key and trust stores.
To create the key store, you would use a command like the following:
```
tools/manage-certificates import-certificate \
     --keystore {pathToKeyStore} \
     --prompt-for-keystore-password \
     --alias client-cert \
     --certificate-file clientcert.pem \
     --certificate-file cacert.pem \
     --private-key-file clientkey.pem
```
The {pathToKeyStore} argument should be replaced with the path or name to the key store file that you want to create or update. The key store needs a password (sometimes called a PIN) to protect its contents, so you’ll need to provide that, too (alternatively, you can provide it directly on the command line with the --keystore-password argument, or you can point to a file containing the password with the --keystore-password-file argument).
To create the trust store, you should just need to import the CA certificate. The command to do that will look something like:
```
tools/manage-certificates import-certificate \
     --keystore {pathToTrustStore} \
     --prompt-for-keystore-password \
     --alias ca-cert \
     --certificate-file cacert.pem
```
Both key and trust store files use the same format, but key stores need the full certificate chain with a private key, whereas trust store files just need the issuer certificates.
Note that if you want, you can also invoke the tool programmatically to create the key and trust store files on the fly. Just call the com.unboundid.util.ssl.cert.ManageCertificates.main method that takes input and output streams and an appropriate array of arguments.
Once you have the key and trust store files, then you can create an SSLUtil instance like I pointed out in my earlier comment. By default, the LDAP SDK does a pretty good job of picking the cipher suites that should be used, but you can override that by calling SSLUtil.setEnabledSSLCipherSuites. There is also a setEnabledSSLProtocols method if you want to control the protocol versions.
If you’re going to use StartTLS, then there are a couple of ways to accomplish that. If you’re using a standalone connection, then you should create a new com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest using an SSLSocketFactory created from the SSLUtil instance. If you’re going to use a connection pool, then you should create the pool with a StartTLSPostConnectProcessor, as that will ensure that all new connections created for use in the pool have the StartTLS extended request invoked automatically to secure the connections as soon as they have been established.
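As an added example (not code from this thread or from the LDAP SDK project), the two import-certificate commands above can be run in-process through ManageCertificates.main, followed by a check that the key store chain ends at the CA held in the trust store. The store paths, the LDAP_STORE_PIN environment variable and the class name are assumptions; the PEM file names and aliases are the ones used above.

```java
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.ssl.cert.ManageCertificates;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class BuildStoresFromPem
{
  // Runs one manage-certificates subcommand in-process and throws, with the
  // tool's captured output, if it does not report success.
  static void run(final String... toolArgs)
  {
    final ByteArrayOutputStream output = new ByteArrayOutputStream();
    final ResultCode rc = ManageCertificates.main(
         new ByteArrayInputStream(new byte[0]), output, output, toolArgs);
    if (rc != ResultCode.SUCCESS)
    {
      throw new IllegalStateException(
           "manage-certificates returned " + rc + ":\n" + output);
    }
  }

  public static void main(final String... args) throws Exception
  {
    final String keyStorePath = "client-keystore";       // assumed path
    final String trustStorePath = "client-truststore";   // assumed path
    final String pin = System.getenv("LDAP_STORE_PIN");  // assumed variable
    if ((pin == null) || pin.isEmpty())
    {
      throw new IllegalStateException("LDAP_STORE_PIN is not set");
    }

    // Key store: client certificate, its issuer, and the private key.
    // --no-prompt skips the tool's interactive confirmation.
    run("import-certificate", "--keystore", keyStorePath,
         "--keystore-password", pin, "--alias", "client-cert",
         "--certificate-file", "clientcert.pem",
         "--certificate-file", "cacert.pem",
         "--private-key-file", "clientkey.pem", "--no-prompt");

    // Trust store: only the issuer certificate.
    run("import-certificate", "--keystore", trustStorePath,
         "--keystore-password", pin, "--alias", "ca-cert",
         "--certificate-file", "cacert.pem", "--no-prompt");

    // Reload both stores (KeyStore.getInstance(File, char[]) needs Java 9+
    // and detects the store type) and confirm what mutual TLS depends on:
    // a private key entry whose chain ends at a trusted CA certificate.
    final KeyStore keyStore =
         KeyStore.getInstance(new File(keyStorePath), pin.toCharArray());
    final KeyStore trustStore =
         KeyStore.getInstance(new File(trustStorePath), pin.toCharArray());
    final Certificate[] chain = keyStore.getCertificateChain("client-cert");
    if (!keyStore.isKeyEntry("client-cert") || (chain == null) ||
         (trustStore.getCertificateAlias(chain[chain.length - 1]) == null))
    {
      throw new IllegalStateException(
           "client-cert has no private key or its chain does not end at ca-cert");
    }
    System.out.println("Key store chain length: " + chain.length);
  }
}
```

Passing the PIN as an in-process argument keeps it out of the operating system's process list, which is not the case when --keystore-password is typed on a shell command line.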
Just want to confirm whether the understanding is correct or not.
```java
// Here the client provides its certificate to the server for validation, and
// the client validates the server certificates against trustStoreManager.
SSLUtil sslUtil = new SSLUtil(keyStoreManager, trustStoreManager);

// Here the client provides its certificates to the server for validation, but
// the client doesn't validate the server certificate.
SSLUtil sslUtil = new SSLUtil(keyManager, new TrustAllTrustManager());
```
Yes, that is correct. Although I would not recommend using the latter because it increases the potential for the client to be tricked into connecting to an impostor rather than the legitimate server.
During the TLS handshake, the Java LDAP client-instances must verify the server-certificate (validity, signature …) and check the identity presented by the server in the certificate. How to check the server identity?
Note: We are using startTLS method like below.
```java
SSLUtil sslUtil = new SSLUtil(keyStoreManager, trustStoreManager);
SSLContext sslContext = sslUtil.createSSLContext();
StartTLSExtendedRequest startTLSRequest = new StartTLSExtendedRequest(sslContext);
ExtendedResult startTLSResult = connection.processExtendedOperation(startTLSRequest);
if (startTLSResult.getResultCode() != ResultCode.SUCCESS) {
    logger.error("MTLS secure connection failed");
} else {
    logger.info("Secured the connection");
}
```
The trust manager is responsible for verifying that the certificate is valid and should be trusted. Since it looks like you're using a trust store trust manager, then that's the component that is responsible for ensuring that the presented certificate chain is valid and signed by a trusted issuer.
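Added example (not from the thread or the LDAP SDK project) that puts the pieces discussed so far on one standalone connection: restricted protocols and cipher suites, StartTLS with a client certificate, a host name check, and the SASL EXTERNAL bind. The host name verifier goes beyond the reply above, which covers chain validation by the trust manager; the store paths, LDAP_STORE_PIN, ldap.example.com and the protocol and cipher choices are assumptions.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.EXTERNALBindRequest;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.KeyStoreKeyManager;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import java.util.Arrays;

public class StartTlsMutualAuthClient
{
  public static void main(final String... args) throws Exception
  {
    final char[] pin = System.getenv("LDAP_STORE_PIN").toCharArray();

    // These setters are static, so they apply to every socket that SSLUtil
    // creates in this JVM. The values are an assumed policy, not SDK defaults.
    SSLUtil.setEnabledSSLProtocols(Arrays.asList("TLSv1.3", "TLSv1.2"));
    SSLUtil.setEnabledSSLCipherSuites(Arrays.asList(
         "TLS_AES_256_GCM_SHA384",
         "TLS_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"));

    // The key manager supplies the client chain; the trust manager validates
    // the server chain against the CA and checks validity dates (true).
    final SSLUtil sslUtil = new SSLUtil(
         new KeyStoreKeyManager("client-keystore", pin, null, "client-cert"),
         new TrustStoreTrustManager("client-truststore", pin, null, true));

    // Chain validation alone accepts any certificate issued by a trusted CA.
    // This verifier also requires the certificate to name the host that the
    // client connected to (true = wildcard names are accepted).
    final LDAPConnectionOptions options = new LDAPConnectionOptions();
    options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true));

    // Connect in the clear on the LDAP port, then upgrade with StartTLS.
    try (LDAPConnection conn =
              new LDAPConnection(options, "ldap.example.com", 389))
    {
      final ExtendedResult startTLSResult = conn.processExtendedOperation(
           new StartTLSExtendedRequest(sslUtil.createSSLSocketFactory()));
      if (startTLSResult.getResultCode() != ResultCode.SUCCESS)
      {
        // Never fall through to a bind on a connection that is not secured.
        throw new LDAPException(startTLSResult);
      }

      // Presenting a certificate during the handshake does not authenticate
      // the LDAP session; the EXTERNAL bind asks the server to use it.
      final BindResult bindResult = conn.bind(new EXTERNALBindRequest());
      System.out.println("Bind result: " + bindResult.getResultCode());
    }
  }
}
```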
@dirmgr Thanks for the information.
We have further queries on this topic.
- Does the UnboundID library support X.509v3 certificates?
- For RSA certificates: a) supported key length? Example: 2048. b) Which signature algorithms are supported and which are not supported? Example: SHA256withRSA.
- Does the UnboundID library support the extensions below?
  - keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  - extendedKeyUsage = clientAuth
  - authorityKeyIdentifier=keyid,issuer
  - basicConstraints=CA:FALSE
- Which ECC certificate curves are supported by the UnboundID library? Example: secp256k1, prime256v1, ...
- For ECC certificates, which signature algorithms are supported and which are not supported?
The LDAP SDK doesn't directly implement support for TLS, but rather uses the TLS implementation provided by the underlying JVM. As such, you should consult the documentation for the particular version of Java that you're using.
I can't imagine that any version of Java that the LDAP SDK will run on doesn't support X509v3, RSA keys of at least 2048 and 4096 bits, and all of the extensions that you referenced.
For the algorithms, you should be able to determine some of this programmatically by getting the list of Provider instances and looking at the Service instances that it supports. Here's a sample program that can do that:
```java
import java.security.Provider;
import java.security.Security;

public class ListJavaProviderServices
{
  public static void main(final String... args)
         throws Exception
  {
    // Walk every security provider installed in this JVM.
    for (final Provider provider : Security.getProviders())
    {
      System.out.println("Provider: " + provider.getName() + " (" +
           provider.getClass().getName() + ")");

      // Each service is one (type, algorithm) pair, such as
      // Signature / SHA256withRSA.
      for (final Provider.Service service : provider.getServices())
      {
        System.out.println(" Type=" + service.getType() + ", Algorithm=" +
             service.getAlgorithm());
      }
      System.out.println();
    }
  }
}
```
And here's the output that I get when running on Java 16 with the Azul Zulu JVM: